Working with administrator accounts using PowerShell

PowerShell not only allows you to script out routine tasks (as we’ve seen in previous posts,) but it also allows you to complete tasks on remote computers if you’re unable to physically get to them. Let’s take a look at a useful code snippet that will let you work with a local administrator account… on a remote computer.

Photo by Sean Lim on Unsplash

One of the day-to-day activities you may have to perform while working on a help desk is installing and uninstalling software for users. These tasks, among others, require administrator level permissions on the computer. As a front line tech, your account will most likely have this access on all user computers whereas the users themselves will not (to prevent them from accidentally installing malware, for example.)

This means that ordinarily you need to physically have access to a computer in order to install something for a user (in order to enter administrator credentials during an installation.)

So far, so good. But what happens if a user desperately needs something installed while they’re on the road?

Say, for example, that a salesperson was just given a laptop upgrade. They find themselves at a prospective client’s office only to find that Microsoft Office was not installed on their shiny new computer. Oops! How will they give that PowerPoint presentation?

The script below will temporarily enable a local administrator account on a remote computer so they can install what they need themselves. When they’re prompted for administrator credentials, they’ll use the administrator account with a password that you’ll have created for them.

There are a few assumptions I make, and I have a few warnings for you as well, so let’s get those out of the way first and then we’ll discuss the script.

Warnings

I’ll give you my standard PowerShell warning first: never run a PowerShell script you found on the Internet without first understanding what it does fully as well as the implications for running it. PowerShell is very powerful (pun intended,) but it can also wreck your world very easily if you’re not careful.

This script will enable a local administrator account, which may be against your company’s policies. So, make sure you obtain authorization to do this!

Once a user has access to a local administrator password, there’s nothing to stop them from using it to install anything else they may choose, so be mindful of that when using this technique! (The script below will make sure the account expires, but they’ll still have plenty of time until that happens.)

Assumptions

The script needs to be run by someone with administrator privileges on the remote computer, which I’ll assume you have as a tech.

We’ll assume the name of the administrator account is “Administrator”. This is standard, but your company might use a different naming convention for local administrator accounts.

The script requires that you are on the same network as the remote computer, such as being on the same VPN (virtual private network) and that there are no firewall rules in place that will block the script’s execution.

I’ll assume that  you’ve obtained your manager’s permission to actually perform these actions. (DO IT!)

And, finally, I assume that you have psexec installed on your machine. If you don’t, you’ll want to do that before running this script. (I’ll explain a bit about psexec in a moment.)

And now, the script

#This script will enable a local admin account and then set it to expire on a remote machine.

#Prompt for the computer name where the local account resides.

$MachineName = read-host -prompt “Please enter the machine name”

write-output “The administrator account will expire at the beginning (12:01am) of the date you specify.”

$ExpirationDate = read-host -Prompt “Please enter expiration date (format = MM/DD/YYYY)”

$User = “Administrator”

$Password = “S1l1conP@th”

#Activate the account and set the account to expire at the specified date.

psexec \\$Machinename net user $User $Password /active:yes /expires:$ExpirationDate

Let’s now take a look at what all this does in plain English.

Any line that starts with a # means that it’s a comment. PowerShell will not execute anything on this line, it’s there just for clarity. On a small script like this one, comments aren’t always necessary, but it’s a good habit to get into and will be useful as your scripts get longer and more complicated.

In the first part of the script, we’re prompting the person running the script (read: you) to provide the name of the remote machine, which we assign that to the variable $MachineName. (When you see a $ in a script, this indicates a variable.)

Next, we print out some instructions to the screen and then prompt for the expiration date. The account will actually become inactive at midnight, but I write 12:01 because in my experience folks get confused with midnight: is midnight the end of the day you specified, or the beginning? Writing 12:01 makes it crystal clear that the second it becomes the day you’ve specified the account becomes inactive.

Next, we declare a few variables such as the administrator name and the password we want to set for it. You’ll need to communicate this password verbally to the remote user.

The last bit is where the magic happens! We use psexec to run a command on the remote computer. But first, allow me a quick aside about a fellow named Mark Russinovich. Mark wrote a series of tools called Windows Sysinternals and very generously made them available for free. These tools were so useful that 1) they ended up being used by just about all systems administrators around the world and 2) Mark ended up getting hired by Microsoft. Mark’s written a ton of books on sysinternals like this one, but you can also look up each particular tool online to understand what each one does such as this link for psexec.

So, the line first calls psexec and points it at the machine you specified earlier. Everything that happens after the machine name is the equivalent of sitting at the machine itself with an open CMD window. Now, something happens which is one of the reasons I love PowerShell so much – we’re no longer using PowerShell, we’re using the net user command which is native to the CMD shell.

Whoa! Let’s take a moment to appreciate that.

PowerShell doesn’t make you relearn commands that you already know and use. For example, if you’re used to using the ping command from a command prompt, you can still use the ping command even though PowerShell has an equivalent command, test-netconnection. When you use ping, PowerShell will open a command prompt in the background and run the command that way. Pretty neat, huh?

The next part of the last line will pass along the administrator name you specified and the password you created. Then, it activates that account and sets it to expire on the day you specified. This last part is important because you don’t want an active administrator account that can be used indefinitely. You’re really only giving the user temporary power because they’re in a bind, but you don’t want them to have this level of access forever.

As always, I encourage you to learn PowerShell early on in your career. The book I personally used (and highly recommend!) is PowerShell in a Month of Lunches. PowerShell is one of the few tools that will actually be useful right from the start and keep being useful twenty years in since it’s used for just about every Microsoft product, so start learning it today!

With each post, I cover a new topic to help you get your start (or keep progressing) in your IT career. If it’s your first time visiting this blog, start here. Or, see all my posts about interview questions you should be able to answer.